<html><head><title>Burp Scanner Report</title>
<meta http-equiv="Content-Security-Policy" content="default-src 'none';img-src 'self' data:;style-src 'unsafe-inline'" />
<style type="text/css">
body { background: #dedede; font-family: 'Droid sans', Helvetica, Arial, sans-serif; color: #404042; -webkit-font-smoothing: antialiased; }
#container { width: 930px; padding: 0 15px; margin: 20px auto; background-color: #ffffff; }
table { font-family: Arial, sans-serif; }
a:link, a:visited { color: #ff6633; text-decoration: none; transform: 0.3s; }
a:hover, a:active { color: #e24920; text-decoration: underline; }
h1 { font-size: 1.6em; line-height: 1.4em; font-weight: normal; color: #404042; }
h2 { font-size: 1.3em; line-height: 1.2em; padding: 0; margin: 0.8em 0 0.3em 0; font-weight: normal; color: #404042;}
h4 { font-size: 1.0em; line-height: 1.2em; padding: 0; margin: 0.8em 0 0.3em 0; font-weight: bold; color: #404042;}
.rule { height: 0px; border-top: 1px solid #404042; padding: 0; margin: 20px -15px 0 -15px; }
.title { color: #ffffff; background: #ff6633; margin: 0 -15px 10px -15px; overflow: hidden; }
.title h1 { color: #ffffff; padding: 10px 15px; margin: 0; font-size: 1.8em; }
.title img { float: right; display: inline; padding: 1px; }
.heading { background: #404042; margin: 0 -15px 10px -15px; padding: 0; display: inline-block; overflow: hidden; }
.heading img { float: right; display: inline; margin: 8px 10px 0 10px; padding: 0; }
table.overview_table { border: 2px solid #e6e6e6; margin: 0; padding: 5px;}
table.overview_table td.info { padding: 5px; background: #dedede; text-align: right; border-top: 2px solid #ffffff; border-right: 2px solid #ffffff; }
table.overview_table td.info_end { padding: 5px; background: #dedede; text-align: right; border-top: 2px solid #ffffff; }
table.overview_table td.colour_holder { padding: 0px; border-top: 2px solid #ffffff; border-right: 2px solid #ffffff; }
table.overview_table td.colour_holder_end { padding: 0px; border-top: 2px solid #ffffff; }
table.overview_table td.label { padding: 5px; font-weight: bold; }
table.summary_table td { padding: 5px; background: #dedede; text-align: left; border-top: 2px solid #ffffff; border-right: 2px solid #ffffff; }
table.summary_table td.icon { background: #404042; }
.colour_block { padding: 5px; text-align: right; display: block; font-weight: bold; }
.high_certain { border: 2px solid #f00; background: #f00; }
.high_firm { border: 2px solid #f66; background: #f66; }
.high_tentative { border: 2px solid #fcc; background: #fcc; }
.medium_certain { border: 2px solid #f90; background: #f90; }
.medium_firm { border: 2px solid #ffc266; background: #ffc266; }
.medium_tentative { border: 2px solid #ffebcc; background: #ffebcc; }
.low_certain { border: 2px solid #fe0; background: #fe0; }
.low_firm { border: 2px solid #fff566; background: #fff566; }
.low_tentative { border: 2px solid #fffccc; background: #fffccc; }
.info_certain { border: 2px solid #ababab; background: #ababab; }
.info_firm { border: 2px solid #cdcdcd; background: #cdcdcd; }
.info_tentative { border: 2px solid #eee; background: #eee; }
.row_total { border: 1px solid #dedede; background: #fff; }
.grad_mark { padding: 4px; border-left: 1px solid #404042; display: inline-block; }
.bar { margin-top: 3px; }
.TOCH0 { font-size: 1.0em; font-weight: bold; word-wrap: break-word; }
.TOCH1 { font-size: 0.8em; text-indent: -20px; padding-left: 50px; margin: 0; word-wrap: break-word; }
.TOCH2 { font-size: 0.8em; text-indent: -20px; padding-left: 70px; margin: 0; word-wrap: break-word; }
.BODH0 { font-size: 1.6em; line-height: 1.2em; font-weight: normal; padding: 10px 15px; margin: 0 -15px 10px -15px; display: inline-block; color: #ffffff; background-color: #ff6633; width: 100%; word-wrap: break-word; }
.BODH0 a:link, .BODH0 a:visited, .BODH0 a:hover, .BODH0 a:active { color: #ffffff; text-decoration: none; }
.BODH1 { font-size: 1.3em; line-height: 1.2em; font-weight: normal; padding: 13px 15px; margin: 0 -15px 0 -15px; display: inline-block; width: 100%; word-wrap: break-word; }
.BODH1 a:link, .BODH1 a:visited, .BODH1 a:hover, .BODH1 a:active { color: #404042; text-decoration: none; }
.BODH2 { font-size: 1.0em; font-weight: bold; line-height: 2.0em; width: 100%; word-wrap: break-word; }
.PREVNEXT { font-size: 0.7em; font-weight: bold; color: #ffffff; padding: 3px 10px; border-radius: 10px;}
.PREVNEXT:link, .PREVNEXT:visited { color: #ff6633 !important; background: #ffffff !important; border: 1px solid #ff6633 !important; text-decoration: none; }
.PREVNEXT:hover, .PREVNEXT:active { color: #fff !important; background: #e24920 !important; border: 1px solid #e24920 !important; text-decoration: none; }
.TEXT { font-size: 0.8em; padding: 0; margin: 0; word-wrap: break-word; }
TD { font-size: 0.8em; }
.HIGHLIGHT { background-color: #fcf446; }
.rr_div { border: 2px solid #ff6633; width: 916px; word-wrap: break-word; -ms-word-wrap: break-word; margin: 0.8em 0; padding: 5px; font-size: 0.8em; max-height: 300px; overflow-y: auto; }

div.scan_issue_false_positive_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_high_certain_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_high_firm_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_high_tentative_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_info_certain_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_info_firm_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_info_tentative_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_low_certain_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_low_firm_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_low_tentative_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_medium_certain_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_medium_firm_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_medium_tentative_rpt{width: 32px; height: 32px; background-image: url()}


@media print {
    body { width: 100%; color: #000000; position: relative; }
    #container { width: 98%; padding: 0; margin: 0; }
    h1 { color: #000000; }
    h2 { color: #000000;}
    .rule { margin: 20px 0 0 0; }
    .title { color: #000000; margin: 0 0 10px 0; padding: 10px 0; }
    .title h1 { color: #000000; }
    .title img { margin: -3px 0; }
    .heading { margin: 0 0 10px 0; }
    .BODH0 { color: #000000; }
    .BODH1 { color: #000000; }
    .PREVNEXT { visibility: hidden; display: none; }
    .rr_div { width: 98%; margin: 0.8em auto; max-height: none !important; overflow: hidden; }
}

</style>
</head>
<body>
<div id="container">
<div class="title"><img src="" width="184" height="58"><h1>Burp Scanner Report</h1></div>
<h1>Summary</h1>
<span class="TEXT">The table below shows the numbers of issues identified in different categories. Issues are classified according to severity as High, Medium, Low or Information. This reflects the likely impact of each issue for a typical organization. Issues are also classified according to confidence as Certain, Firm or Tentative. This reflects the inherent reliability of the technique that was used to identify the issue.</span><br><br><table cellpadding="0" cellspacing="0" class="overview_table">
    <tr>
        <td width="70">&nbsp;</td>
        <td width="90">&nbsp;</td>
        <td colspan="4" height="40" align="center" class="label">Confidence</td>
    </tr>
    <tr>
        <td width="70">&nbsp;</td>
        <td width="90">&nbsp;</td>
        <td width="82" height="30" class="info">Certain</td>
        <td width="82" height="30" class="info">Firm</td>
        <td width="82" height="30" class="info">Tentative</td>
        <td width="82" height="30" class="info_end">Total</td>
    </tr>
    <tr>
        <td rowspan="4" valign="middle" class="label">Severity</td>
        <td class="info" height="30">High</td>
        <td class="colour_holder"><span class="colour_block high_certain">0</span></td>
        <td class="colour_holder"><span class="colour_block high_firm">0</span></td>
        <td class="colour_holder"><span class="colour_block high_tentative">0</span></td>
        <td class="colour_holder_end"><span class="colour_block row_total">0</span></td>
    </tr>
    <tr>
        <td class="info" height="30">Medium</td>
        <td class="colour_holder"><span class="colour_block medium_certain">0</span></td>
        <td class="colour_holder"><span class="colour_block medium_firm">0</span></td>
        <td class="colour_holder"><span class="colour_block medium_tentative">0</span></td>
        <td class="colour_holder_end"><span class="colour_block row_total">0</span></td>
    </tr>
    <tr>
        <td class="info" height="30">Low</td>
        <td class="colour_holder"><span class="colour_block low_certain">1</span></td>
        <td class="colour_holder"><span class="colour_block low_firm">2</span></td>
        <td class="colour_holder"><span class="colour_block low_tentative">1</span></td>
        <td class="colour_holder_end"><span class="colour_block row_total">4</span></td>
    </tr>
    <tr>
        <td class="info" height="30">Information</td>
        <td class="colour_holder"><span class="colour_block info_certain">8</span></td>
        <td class="colour_holder"><span class="colour_block info_firm">3</span></td>
        <td class="colour_holder"><span class="colour_block info_tentative">0</span></td>
        <td class="colour_holder_end"><span class="colour_block row_total">11</span></td>
    </tr>
</table><br>
<span class="TEXT">The chart below shows the aggregated numbers of issues identified in each category. Solid colored bars represent issues with a confidence level of Certain, and the bars fade as the confidence level falls.</span><br><br><table cellpadding="0" cellspacing="0" class="overview_table">
    <tr>
        <td width="70">&nbsp;</td>
        <td width="90">&nbsp;</td>
        <td colspan="6" height="40" align="center" class="label">Number of issues</td>
    </tr>
    <tr>
        <td width="70">&nbsp;</td>
        <td width="90">&nbsp;</td>
        <td width="125"><span class="grad_mark">0</span></td>
        <td width="125"><span class="grad_mark">1</span></td>
        <td width="125"><span class="grad_mark">2</span></td>
        <td width="125"><span class="grad_mark">3</span></td>
        <td width="125"><span class="grad_mark">4</span></td>
    </tr>
    <tr>
        <td rowspan="3" valign="middle" class="label">Severity</td>
        <td class="info">High</td>
        <td colspan="5" height="30">
            <table cellpadding="0" cellspacing="0"><tr><td><img class="bar" src="" width="0" height="16"></td><td><img class="bar" src="" width="0" height="16"></td><td><img class="bar" src="" width="0" height="16"></td></tr></table>
        </td>
        <td>&nbsp;</td>
    </tr>
    <tr>
        <td class="info">Medium</td>
        <td colspan="5" height="30">
            <table cellpadding="0" cellspacing="0"><tr><td><img class="bar" src="" width="0" height="16"></td><td><img class="bar" src="" width="0" height="16"></td><td><img class="bar" src="" width="0" height="16"></td></tr></table>
        </td>
        <td>&nbsp;</td>
    </tr>
    <tr>
        <td class="info">Low</td>
        <td colspan="5" height="30">
            <table cellpadding="0" cellspacing="0"><tr><td><img class="bar" src="" width="125" height="16"></td><td><img class="bar" src="" width="250" height="16"></td><td><img class="bar" src="" width="125" height="16"></td></tr></table>
        </td>
        <td>&nbsp;</td>
    </tr>
</table>

<div class="rule"></div>
<h1>Contents</h1>
<p class="TOCH0"><a href="#1">1.&nbsp;Flash cross-domain policy</a></p>
<p class="TOCH0"><a href="#2">2.&nbsp;Open redirection (DOM-based)</a></p>
<p class="TOCH0"><a href="#3">3.&nbsp;Link manipulation (DOM-based)</a></p>
<p class="TOCH1"><a href="#3.1">3.1.&nbsp;https://www.baidu.com/</a></p>
<p class="TOCH1"><a href="#3.2">3.2.&nbsp;https://www.baidu.com/</a></p>
<p class="TOCH0"><a href="#4">4.&nbsp;Duplicate cookies set</a></p>
<p class="TOCH0"><a href="#5">5.&nbsp;SSL cookie without secure flag set</a></p>
<p class="TOCH0"><a href="#6">6.&nbsp;Cookie scoped to parent domain</a></p>
<p class="TOCH0"><a href="#7">7.&nbsp;Cross-domain script include</a></p>
<p class="TOCH0"><a href="#8">8.&nbsp;Cookie without HttpOnly flag set</a></p>
<p class="TOCH0"><a href="#9">9.&nbsp;HTML5 storage manipulation (DOM-based)</a></p>
<p class="TOCH1"><a href="#9.1">9.1.&nbsp;https://www.baidu.com/</a></p>
<p class="TOCH1"><a href="#9.2">9.2.&nbsp;https://www.baidu.com/</a></p>
<p class="TOCH1"><a href="#9.3">9.3.&nbsp;https://www.baidu.com/</a></p>
<p class="TOCH0"><a href="#10">10.&nbsp;Robots.txt file</a></p>
<p class="TOCH0"><a href="#11">11.&nbsp;Cacheable HTTPS response</a></p>
<p class="TOCH0"><a href="#12">12.&nbsp;SSL certificate</a></p>
<br><div class="rule"></div>
<span class="BODH0" id="1">1.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00200400_flashcrossdomainpolicy">Flash cross-domain policy</a></span>
<br><a class="PREVNEXT" href="#2">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Low</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>https://www.baidu.com</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/crossdomain.xml</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.<br><br>Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.<br><br>Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.</span>
<h2>Issue background</h2>
<span class="TEXT"><p>The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain that publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.</p>
<p>Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application that allows access. Any domains that are allowed by the Flash cross-domain policy should be reviewed to determine whether it is appropriate for the application to fully trust both their intentions and security posture. </p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>Any inappropriate entries in the Flash cross-domain policy file should be removed.</p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive Cross-domain Whitelist</a></li>
</ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET <span class="HIGHLIGHT">/crossdomain.xml</span> HTTP/1.1<br>Host: www.baidu.com<br>Connection: close<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Content-Length: 305<br>Content-Type: text/xml<br>Server: bfe<br>Date: Sun, 20 Mar 2022 08:13:51 GMT<br>Connection: close<br><br>&lt;?xml version="1.0"?&gt;<br>&lt;cross-domain-policy&gt;<br> &nbsp;&nbsp;&nbsp;&lt;allow-access-from domain="<span class="HIGHLIGHT">*.baidu.com</span>" /&gt;<br>    &lt;allow-access-from domain="<span class="HIGHLIGHT">*.bdstatic.com</span>" /&gt;<br> &nbsp;&nbsp;&nbsp;&lt;allow-http-request-headers-from domain="*.baidu.com" headers<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="2">2.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00500110_openredirectiondombased">Open redirection (DOM-based)</a></span>
<br><a class="PREVNEXT" href="#1">Previous</a>
&nbsp;<a class="PREVNEXT" href="#3">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_tentative_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Low</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Tentative</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>https://www.baidu.com</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The application may be vulnerable to DOM-based open redirection. Data is read from <b>document.location.href</b> and passed to <b>location.href</b>.</span>
<h2>Issue background</h2>
<span class="TEXT"><p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way.</p>

<p>DOM-based open redirection arises when a script  writes controllable data into the target of a redirection in an unsafe way. An attacker may be able to use the vulnerability to  construct a URL that, if visited by another application user, will cause a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.</p>
<p><b>Note:</b> If an attacker is able to control the start of the string that is passed to the redirection API, then it may be possible to escalate this vulnerability into a JavaScript injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary script code when the URL is processed by the browser.</p>

<p>Burp Suite automatically identifies this issue using static code analysis, which may lead to false positives that are not actually exploitable. The relevant code and execution paths should be reviewed to determine whether this vulnerability is indeed present, or whether mitigations are in place that would prevent exploitation.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically set redirection targets using data that originated from any untrusted source. If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code to prevent malicious data from introducing an arbitrary URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that are permitted redirection targets, and strictly validating the target against this list before performing the redirection.</p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/601.html">CWE-601: URL Redirection to Untrusted Site ('Open Redirect')</a></li>
</ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET / HTTP/1.1<br>Host: www.baidu.com<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en<br>User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)<br>Connection: close<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Bdpagetype: 1<br>Bdqid: 0xcbd633e3001bb730<br>Cache-Control: private<br>Content-Type: text/html;charset=utf-8<br>Date: Sun, 20 Mar 2022 08:13:48 GMT<br>Expires: Sun, 20 Mar 2022 08:13:43 GMT<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>Server: BWS/1.1<br>Set-Cookie: BAIDUID=B24527D752029D12A554D889B42E8B59:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: BIDUPSID=B24527D752029D12A554D889B42E8B59; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: PSTM=1647764028; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: BAIDUID=B24527D752029D1293FCA8A27FDD2AEF:FG=1; max-age=31536000; expires=Mon, 20-Mar-23 08:13:48 GMT; domain=.baidu.com; path=/; version=1; comment=bd<br>Set-Cookie: BDSVRTM=0; path=/<br>Set-Cookie: BD_HOME=1; path=/<br>Set-Cookie: H_PS_PSSID=36070_35106_31660_35978_34584_36142_36120_36075_36109_35984_35321_26350_36094_36062; path=/; domain=.baidu.com<br>Strict-Transport-Security: max-age=172800<br>Traceid: 1647764028045589761014687984284767860528<br>X-Frame-Options: sameorigin<br>X-Ua-Compatible: IE=Edge,chrome=1<br>Connection: close<br>Content-Length: 349370<br><br>&lt;!DOCTYPE html&gt;&lt;!--STATUS OK--&gt;<br><br><br>    &lt;html&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html;charset=utf-8"&gt;&lt;meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"&gt;&lt;meta content="always"<br><b>...[SNIP]...</b><br>&lt;script&gt;(function(){<span class="HIGHLIGHT">var hashMatch=document.location.href.match(/#+(.*wd=[^&amp;]+)/);</span>if(hashMatch&amp;&amp;hashMatch[0]&amp;&amp;hashMatch[1]){var css='body {display: none}',head=document.head||document.getElementsByTagName('head')[0],style=document.createElement('style');if(style.styleSheet){style.styleSheet.cssText = css;}else{style.appendChild(document.createTextNode(css));}head.appendChild(style);<span class="HIGHLIGHT">location.href="//"+location.host+"/s?"+hashMatch[1];</span>}})();&lt;/script&gt;<br><b>...[SNIP]...</b><br></span></div>
<h2>Static analysis</h2>Data is read from <b>document.location.href</b> and passed to <b>location.href</b> via the following statements:<ul><li><pre>var hashMatch=document.location.href.match(/#+(.*wd=[^&amp;]+)/);</pre></li><li><pre>location.href="//"+location.host+"/s?"+hashMatch[1];</pre></li></ul><div class="rule"></div>
<span class="BODH0" id="3">3.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00501000_linkmanipulationdombased">Link manipulation (DOM-based)</a></span>
<br><a class="PREVNEXT" href="#2">Previous</a>
&nbsp;<a class="PREVNEXT" href="#4">Next</a>
<br>
<br><span class="TEXT">There are 2 instances of this issue:
<ul>
<li><a href="#3.1">/</a></li>
<li><a href="#3.2">/</a></li>
</ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way.</p>
<p>DOM-based link manipulation  arises when a script writes controllable data to a navigation target within the current page, such as a clickable link or the submission URL of a form. An attacker may be able to use the vulnerability to construct a URL that, if visited by another application user, will modify the target of links within the response. An attacker may be able to leverage this to perform various attacks, including:</p>
<ul>
<li>Causing the user to redirect to an arbitrary external URL, to facilitate a phishing attack.</li><li>Causing the user to submit sensitive form data to a server controlled by the attacker.</li><li>Causing the user to perform an unintended action within the application, by changing the file or query string associated with a link.</li><li>Bypassing browser anti-XSS defenses by injecting on-site links containing XSS exploits, since browser anti-XSS defenses typically do not operate on on-site links.</li></ul>
<p>Burp Suite automatically identifies this issue using static code analysis, which may lead to false positives that are not actually exploitable. The relevant code and execution paths should be reviewed to determine whether this vulnerability is indeed present, or whether mitigations are in place that would prevent exploitation.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>The most effective way to avoid DOM-based link manipulation vulnerabilities is not to dynamically set the target URLs of links or forms using data that originated from any untrusted source. If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code to prevent malicious data from introducing an arbitrary URL as a link target. In general, this is best achieved by using a whitelist of URLs that are permitted link targets, and strictly validating the target against this list before setting the link target.</p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input Validation</a></li>
</ul></span>
<br><br><div class="rule"></div>
<span class="BODH1" id="3.1">3.1.&nbsp;https://www.baidu.com/</span>
<br><a class="PREVNEXT" href="#3.2">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Low</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>https://www.baidu.com</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The application may be vulnerable to DOM-based link manipulation. Data is read from <b>location.href</b> and passed to <b>the 'source' property of a DOM element</b>.</span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET / HTTP/1.1<br>Host: www.baidu.com<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en<br>User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)<br>Connection: close<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Bdpagetype: 1<br>Bdqid: 0xcbd633e3001bb730<br>Cache-Control: private<br>Content-Type: text/html;charset=utf-8<br>Date: Sun, 20 Mar 2022 08:13:48 GMT<br>Expires: Sun, 20 Mar 2022 08:13:43 GMT<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>Server: BWS/1.1<br>Set-Cookie: BAIDUID=B24527D752029D12A554D889B42E8B59:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: BIDUPSID=B24527D752029D12A554D889B42E8B59; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: PSTM=1647764028; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: BAIDUID=B24527D752029D1293FCA8A27FDD2AEF:FG=1; max-age=31536000; expires=Mon, 20-Mar-23 08:13:48 GMT; domain=.baidu.com; path=/; version=1; comment=bd<br>Set-Cookie: BDSVRTM=0; path=/<br>Set-Cookie: BD_HOME=1; path=/<br>Set-Cookie: H_PS_PSSID=36070_35106_31660_35978_34584_36142_36120_36075_36109_35984_35321_26350_36094_36062; path=/; domain=.baidu.com<br>Strict-Transport-Security: max-age=172800<br>Traceid: 1647764028045589761014687984284767860528<br>X-Frame-Options: sameorigin<br>X-Ua-Compatible: IE=Edge,chrome=1<br>Connection: close<br>Content-Length: 349370<br><br>&lt;!DOCTYPE html&gt;&lt;!--STATUS OK--&gt;<br><br><br>    &lt;html&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html;charset=utf-8"&gt;&lt;meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"&gt;&lt;meta content="always"<br><b>...[SNIP]...</b><br>&lt;/script&gt;<span class="HIGHLIGHT">&lt;script type="text/javascript" src="https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js"&gt;</span>&lt;/script&gt;<br><b>...[SNIP]...</b><br></span></div>
<h2>Request 2</h2>
<div class="rr_div"><span>GET /r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js HTTP/1.1<br>Host: pss.bdstatic.com<br>Connection: close<br><br></span></div>
<h2>Response 2</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Server: JSP3/2.0.14<br>Date: Sun, 20 Mar 2022 08:13:52 GMT<br>Content-Type: text/javascript; charset=utf-8<br>Content-Length: 484312<br>Connection: close<br>Expires: Wed, 23 Mar 2022 08:07:17 GMT<br>Last-Modified: Thu, 17 Mar 2022 07:32:05 GMT<br>Etag: "db44a791e7fcd9db6c6ce7aed9fa6912"<br>Age: 395<br>Accept-Ranges: bytes<br>Content-MD5: 20Snkef82dtsbOeu2fppEg==<br>x-bce-content-crc32: 1902625111<br>x-bce-debug-id: alq1qytQMtIsDuynJxZYXIRM/+lhmav7OVmkoEMt9oJH4cu1OjOsbbdX7BM701H2gEBktAvJfscV1Icif42X2A==<br>x-bce-request-id: 3080d7a6-3804-48b6-ba2c-a12071be0867<br>x-bce-storage-class: STANDARD<br>Ohc-Cache-HIT: xactcache77 [2]<br>Ohc-File-Size: 484312<br>Cache-Control: max-age=31536000<br>Timing-Allow-Origin: *<br>Access-Control-Allow-Origin: *<br><br>function addEV(e,t,n){window.attachEvent?e.attachEvent("on"+t,n):window.addEventListener&amp;&amp;e.addEventListener(t,n,!1)}function _aMC(e){for(var t=e,n=-1;t=t.parentNode;)if(n=parseInt(t.getAttribute("id"<br><b>...[SNIP]...</b><br>ery)),Cookie.get("ispeed")&amp;&amp;(c+="&amp;rsv_ispeed="+Cookie.get("ispeed")),/ssl_sample/.test(location.href)){var d=location.href.match(/ssl_sample=[^=&amp;]+/i);<br>c+="&amp;rsv_"+d[0]}if(/ssl_s=/.test(location.href)){<span class="HIGHLIGHT">var d=location.href.match(/ssl_s=[^=&amp;]+/i);</span><span class="HIGHLIGHT">c+="&amp;rsv_"+d[0]</span>}<span class="HIGHLIGHT">c+="&amp;rsv_ssl="+("https:"===location.protocol?1:0),c+="&amp;path="+encodeURIComponent(n),c+="&amp;rsv_did="+(bds.comm.did?bds.comm.did:""),s.src=c</span>}return!0}function TagQ(e,t){return t.getElementsByTagName(e)}function h(e){e.style.behavior="url(#default#homepage)",e.setHomePage(bds.comm.domain);var t=window["BD_PS_C"+(new Date).getTime()]=new Ima<br><b>...[SNIP]...</b><br></span></div>
<h2>Static analysis</h2>Data is read from <b>location.href</b> and passed to <b>the 'source' property of a DOM element</b> via the following statements:<ul><li><pre>var d=location.href.match(/ssl_s=[^=&amp;]+/i);</pre></li><li><pre>c+="&amp;rsv_"+d[0]</pre></li><li><pre>c+="&amp;rsv_ssl="+("https:"===location.protocol?1:0),c+="&amp;path="+encodeURIComponent(n),c+="&amp;rsv_did="+(bds.comm.did?bds.comm.did:""),s.src=c</pre></li></ul><div class="rule"></div>
<span class="BODH1" id="3.2">3.2.&nbsp;https://www.baidu.com/</span>
<br><a class="PREVNEXT" href="#3.1">Previous</a>
&nbsp;<a class="PREVNEXT" href="#9.1">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Low</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>https://www.baidu.com</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The application may be vulnerable to DOM-based link manipulation. Data is read from <b>location.href</b> and passed to <b>the 'source' property of a DOM element</b>.</span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET / HTTP/1.1<br>Host: www.baidu.com<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en<br>User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)<br>Connection: close<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Bdpagetype: 1<br>Bdqid: 0xcbd633e3001bb730<br>Cache-Control: private<br>Content-Type: text/html;charset=utf-8<br>Date: Sun, 20 Mar 2022 08:13:48 GMT<br>Expires: Sun, 20 Mar 2022 08:13:43 GMT<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>Server: BWS/1.1<br>Set-Cookie: BAIDUID=B24527D752029D12A554D889B42E8B59:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: BIDUPSID=B24527D752029D12A554D889B42E8B59; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: PSTM=1647764028; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: BAIDUID=B24527D752029D1293FCA8A27FDD2AEF:FG=1; max-age=31536000; expires=Mon, 20-Mar-23 08:13:48 GMT; domain=.baidu.com; path=/; version=1; comment=bd<br>Set-Cookie: BDSVRTM=0; path=/<br>Set-Cookie: BD_HOME=1; path=/<br>Set-Cookie: H_PS_PSSID=36070_35106_31660_35978_34584_36142_36120_36075_36109_35984_35321_26350_36094_36062; path=/; domain=.baidu.com<br>Strict-Transport-Security: max-age=172800<br>Traceid: 1647764028045589761014687984284767860528<br>X-Frame-Options: sameorigin<br>X-Ua-Compatible: IE=Edge,chrome=1<br>Connection: close<br>Content-Length: 349370<br><br>&lt;!DOCTYPE html&gt;&lt;!--STATUS OK--&gt;<br><br><br>    &lt;html&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html;charset=utf-8"&gt;&lt;meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"&gt;&lt;meta content="always"<br><b>...[SNIP]...</b><br>&lt;/script&gt;<span class="HIGHLIGHT">&lt;script type="text/javascript" src="https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js"&gt;</span>&lt;/script&gt;<br><b>...[SNIP]...</b><br></span></div>
<h2>Request 2</h2>
<div class="rr_div"><span>GET /r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js HTTP/1.1<br>Host: pss.bdstatic.com<br>Connection: close<br><br></span></div>
<h2>Response 2</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Server: JSP3/2.0.14<br>Date: Sun, 20 Mar 2022 08:13:52 GMT<br>Content-Type: text/javascript; charset=utf-8<br>Content-Length: 484312<br>Connection: close<br>Expires: Wed, 23 Mar 2022 08:07:17 GMT<br>Last-Modified: Thu, 17 Mar 2022 07:32:05 GMT<br>Etag: "db44a791e7fcd9db6c6ce7aed9fa6912"<br>Age: 395<br>Accept-Ranges: bytes<br>Content-MD5: 20Snkef82dtsbOeu2fppEg==<br>x-bce-content-crc32: 1902625111<br>x-bce-debug-id: alq1qytQMtIsDuynJxZYXIRM/+lhmav7OVmkoEMt9oJH4cu1OjOsbbdX7BM701H2gEBktAvJfscV1Icif42X2A==<br>x-bce-request-id: 3080d7a6-3804-48b6-ba2c-a12071be0867<br>x-bce-storage-class: STANDARD<br>Ohc-Cache-HIT: xactcache77 [2]<br>Ohc-File-Size: 484312<br>Cache-Control: max-age=31536000<br>Timing-Allow-Origin: *<br>Access-Control-Allow-Origin: *<br><br>function addEV(e,t,n){window.attachEvent?e.attachEvent("on"+t,n):window.addEventListener&amp;&amp;e.addEventListener(t,n,!1)}function _aMC(e){for(var t=e,n=-1;t=t.parentNode;)if(n=parseInt(t.getAttribute("id"<br><b>...[SNIP]...</b><br>s.comm.indexSid),bds.comm.lastVoiceQuery&amp;&amp;(c+="&amp;rsv_lavo="+encodeURIComponent(bds.comm.lastVoiceQuery)),Cookie.get("ispeed")&amp;&amp;(c+="&amp;rsv_ispeed="+Cookie.get("ispeed")),/ssl_sample/.test(location.href)){<span class="HIGHLIGHT">var d=location.href.match(/ssl_sample=[^=&amp;]+/i);</span><br><span class="HIGHLIGHT">c+="&amp;rsv_"+d[0]</span>}if(/ssl_s=/.test(location.href)){var d=location.href.match(/ssl_s=[^=&amp;]+/i);c+="&amp;rsv_"+d[0]}<span class="HIGHLIGHT">c+="&amp;rsv_ssl="+("https:"===location.protocol?1:0),c+="&amp;path="+encodeURIComponent(n),c+="&amp;rsv_did="+(bds.comm.did?bds.comm.did:""),s.src=c</span>}return!0}function TagQ(e,t){return t.getElementsByTagName(e)}function h(e){e.style.behavior="url(#default#homepage)",e.setHomePage(bds.comm.domain);var t=window["BD_PS_C"+(new Date).getTime()]=new Ima<br><b>...[SNIP]...</b><br></span></div>
<h2>Static analysis</h2>Data is read from <b>location.href</b> and passed to <b>the 'source' property of a DOM element</b> via the following statements:<ul><li><pre>var d=location.href.match(/ssl_sample=[^=&amp;]+/i);</pre></li><li><pre>c+="&amp;rsv_"+d[0]</pre></li><li><pre>c+="&amp;rsv_ssl="+("https:"===location.protocol?1:0),c+="&amp;path="+encodeURIComponent(n),c+="&amp;rsv_did="+(bds.comm.did?bds.comm.did:""),s.src=c</pre></li></ul><div class="rule"></div>
<span class="BODH0" id="4">4.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00400a00_duplicatecookiesset">Duplicate cookies set</a></span>
<br><a class="PREVNEXT" href="#3">Previous</a>
&nbsp;<a class="PREVNEXT" href="#5">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>https://www.baidu.com</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The application attempted to set the following cookie to multiple values:<ul><li><b>BAIDUID</b></li></ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>The response contains two or more Set-Cookie headers that attempt to set the same cookie to different values. Browsers will only accept one of these values, typically the value in the last header. The presence of the duplicate headers may indicate a programming error.</p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/16.html">CWE-16: Configuration</a></li>
</ul></span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET / HTTP/1.1<br>Host: www.baidu.com<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en<br>User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)<br>Connection: close<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Bdpagetype: 1<br>Bdqid: 0xcbd633e3001bb730<br>Cache-Control: private<br>Content-Type: text/html;charset=utf-8<br>Date: Sun, 20 Mar 2022 08:13:48 GMT<br>Expires: Sun, 20 Mar 2022 08:13:43 GMT<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>Server: BWS/1.1<br><span class="HIGHLIGHT">Set-Cookie: BAIDUID=B24527D752029D12A554D889B42E8B59:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com</span><br>Set-Cookie: BIDUPSID=B24527D752029D12A554D889B42E8B59; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: PSTM=1647764028; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br><span class="HIGHLIGHT">Set-Cookie: BAIDUID=B24527D752029D1293FCA8A27FDD2AEF:FG=1; max-age=31536000; expires=Mon, 20-Mar-23 08:13:48 GMT; domain=.baidu.com; path=/; version=1; comment=bd</span><br>Set-Cookie: BDSVRTM=0; path=/<br>Set-Cookie: BD_HOME=1; path=/<br>Set-Cookie: H_PS_PSSID=36070_35106_31660_35978_34584_36142_36120_36075_36109_35984_35321_26350_36094_36062; path=/; domain=.baidu.com<br>Strict-Transport-Security: max-age=172800<br>Traceid: 1647764028045589761014687984284767860528<br>X-Frame-Options: sameorigin<br>X-Ua-Compatible: IE=Edge,chrome=1<br>Connection: close<br>Content-Length: 349370<br><br>&lt;!DOCTYPE html&gt;&lt;!--STATUS OK--&gt;<br><br><br>    &lt;html&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html;charset=utf-8"&gt;&lt;meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"&gt;&lt;meta content="always"<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="5">5.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00500200_sslcookiewithoutsecureflagset">SSL cookie without secure flag set</a></span>
<br><a class="PREVNEXT" href="#4">Previous</a>
&nbsp;<a class="PREVNEXT" href="#6">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>https://www.baidu.com</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The following cookies were issued by the application and do not have the secure flag set:<ul><li>BAIDUID</li><li>BIDUPSID</li><li>PSTM</li><li>H_PS_PSSID</li></ul>The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.</span>
<h2>Issue background</h2>
<span class="TEXT"><p>If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain that issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.</p>
<p>To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.</p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/614.html">CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute</a></li>
</ul></span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET / HTTP/1.1<br>Host: www.baidu.com<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en<br>User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)<br>Connection: close<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Bdpagetype: 1<br>Bdqid: 0xcbd633e3001bb730<br>Cache-Control: private<br>Content-Type: text/html;charset=utf-8<br>Date: Sun, 20 Mar 2022 08:13:48 GMT<br>Expires: Sun, 20 Mar 2022 08:13:43 GMT<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>Server: BWS/1.1<br><span class="HIGHLIGHT">Set-Cookie: BAIDUID=B24527D752029D12A554D889B42E8B59:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com</span><br>Set-Cookie: BIDUPSID=B24527D752029D12A554D889B42E8B59; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: PSTM=1647764028; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br><span class="HIGHLIGHT">Set-Cookie: BAIDUID=B24527D752029D1293FCA8A27FDD2AEF:FG=1; max-age=31536000; expires=Mon, 20-Mar-23 08:13:48 GMT; domain=.baidu.com; path=/; version=1; comment=bd</span><span class="HIGHLIGHT"></span><span class="HIGHLIGHT"></span><br>Set-Cookie: BDSVRTM=0; path=/<br>Set-Cookie: BD_HOME=1; path=/<br><span class="HIGHLIGHT">Set-Cookie: H_PS_PSSID=36070_35106_31660_35978_34584_36142_36120_36075_36109_35984_35321_26350_36094_36062; path=/; domain=.baidu.com</span><br>Strict-Transport-Security: max-age=172800<br>Traceid: 1647764028045589761014687984284767860528<br>X-Frame-Options: sameorigin<br>X-Ua-Compatible: IE=Edge,chrome=1<br>Connection: close<br>Content-Length: 349370<br><br>&lt;!DOCTYPE html&gt;&lt;!--STATUS OK--&gt;<br><br><br>    &lt;html&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html;charset=utf-8"&gt;&lt;meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"&gt;&lt;meta content="always"<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="6">6.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00500300_cookiescopedtoparentdomain">Cookie scoped to parent domain</a></span>
<br><a class="PREVNEXT" href="#5">Previous</a>
&nbsp;<a class="PREVNEXT" href="#7">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>https://www.baidu.com</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The following cookies were issued by the application and are scoped to a parent of the issuing domain:<ul><li>BAIDUID</li><li>BIDUPSID</li><li>PSTM</li><li>H_PS_PSSID</li></ul>The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.</span>
<h2>Issue background</h2>
<span class="TEXT"><p>A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>By default, cookies are scoped to the issuing domain, and on IE/Edge to subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems that support those applications.</p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/16.html">CWE-16: Configuration</a></li>
</ul></span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET / HTTP/1.1<br>Host: www.baidu.com<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en<br>User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)<br>Connection: close<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Bdpagetype: 1<br>Bdqid: 0xcbd633e3001bb730<br>Cache-Control: private<br>Content-Type: text/html;charset=utf-8<br>Date: Sun, 20 Mar 2022 08:13:48 GMT<br>Expires: Sun, 20 Mar 2022 08:13:43 GMT<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>Server: BWS/1.1<br><span class="HIGHLIGHT">Set-Cookie: BAIDUID=B24527D752029D12A554D889B42E8B59:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com</span><br>Set-Cookie: BIDUPSID=B24527D752029D12A554D889B42E8B59; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: PSTM=1647764028; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br><span class="HIGHLIGHT">Set-Cookie: BAIDUID=B24527D752029D1293FCA8A27FDD2AEF:FG=1; max-age=31536000; expires=Mon, 20-Mar-23 08:13:48 GMT; domain=.baidu.com; path=/; version=1; comment=bd</span><span class="HIGHLIGHT"></span><span class="HIGHLIGHT"></span><br>Set-Cookie: BDSVRTM=0; path=/<br>Set-Cookie: BD_HOME=1; path=/<br><span class="HIGHLIGHT">Set-Cookie: H_PS_PSSID=36070_35106_31660_35978_34584_36142_36120_36075_36109_35984_35321_26350_36094_36062; path=/; domain=.baidu.com</span><br>Strict-Transport-Security: max-age=172800<br>Traceid: 1647764028045589761014687984284767860528<br>X-Frame-Options: sameorigin<br>X-Ua-Compatible: IE=Edge,chrome=1<br>Connection: close<br>Content-Length: 349370<br><br>&lt;!DOCTYPE html&gt;&lt;!--STATUS OK--&gt;<br><br><br>    &lt;html&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html;charset=utf-8"&gt;&lt;meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"&gt;&lt;meta content="always"<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="7">7.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00500500_crossdomainscriptinclude">Cross-domain script include</a></span>
<br><a class="PREVNEXT" href="#6">Previous</a>
&nbsp;<a class="PREVNEXT" href="#8">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>https://www.baidu.com</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The response dynamically includes the following scripts from other domains:<ul><li>https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/components/hotsearch-a66606178c.js</li><li>https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/lib/esl-d776bfb1aa.js</li><li>https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/lib/jquery-1-edb203c114.10.2.js</li><li>https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/min_super-7ddd157405.js</li><li>https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/s_super_index-3fffae8d60.js</li><li>https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/sbase-647f83a3dd.js</li><li>https://pss.bdstatic.com/r/www/cache/static/protocol/https/bundles/polyfill_9354efa.js</li><li>https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js</li></ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.</p>
<p>If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application. </p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>Scripts should not be included from untrusted domains. Applications that rely on third-party scripts should consider copying the contents of these scripts onto their own domain and including them from there. If that is not possible (e.g. for licensing reasons) then consider reimplementing the script's functionality within application code.</p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/829.html">CWE-829: Inclusion of Functionality from Untrusted Control Sphere</a></li>
</ul></span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET / HTTP/1.1<br>Host: www.baidu.com<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en<br>User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)<br>Connection: close<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Bdpagetype: 1<br>Bdqid: 0xcbd633e3001bb730<br>Cache-Control: private<br>Content-Type: text/html;charset=utf-8<br>Date: Sun, 20 Mar 2022 08:13:48 GMT<br>Expires: Sun, 20 Mar 2022 08:13:43 GMT<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>Server: BWS/1.1<br>Set-Cookie: BAIDUID=B24527D752029D12A554D889B42E8B59:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: BIDUPSID=B24527D752029D12A554D889B42E8B59; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: PSTM=1647764028; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: BAIDUID=B24527D752029D1293FCA8A27FDD2AEF:FG=1; max-age=31536000; expires=Mon, 20-Mar-23 08:13:48 GMT; domain=.baidu.com; path=/; version=1; comment=bd<br>Set-Cookie: BDSVRTM=0; path=/<br>Set-Cookie: BD_HOME=1; path=/<br>Set-Cookie: H_PS_PSSID=36070_35106_31660_35978_34584_36142_36120_36075_36109_35984_35321_26350_36094_36062; path=/; domain=.baidu.com<br>Strict-Transport-Security: max-age=172800<br>Traceid: 1647764028045589761014687984284767860528<br>X-Frame-Options: sameorigin<br>X-Ua-Compatible: IE=Edge,chrome=1<br>Connection: close<br>Content-Length: 349370<br><br>&lt;!DOCTYPE html&gt;&lt;!--STATUS OK--&gt;<br><br><br>    &lt;html&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html;charset=utf-8"&gt;&lt;meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"&gt;&lt;meta content="always"<br><b>...[SNIP]...</b><br>&lt;/script&gt;<br><br><span class="HIGHLIGHT">&lt;script type="text/javascript" src="https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/lib/jquery-1-edb203c114.10.2.js"&gt;</span>&lt;/script&gt;<br><br><span class="HIGHLIGHT">&lt;script type="text/javascript" src="https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/lib/esl-d776bfb1aa.js"&gt;</span>&lt;/script&gt;<br><b>...[SNIP]...</b><br>&lt;![endif]--&gt; <br><br><span class="HIGHLIGHT">&lt;script type="text/javascript" src="https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/sbase-647f83a3dd.js"&gt;</span>&lt;/script&gt;<br><b>...[SNIP]...</b><br>&lt;/script&gt;<br>    <span class="HIGHLIGHT">&lt;script src="https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/s_super_index-3fffae8d60.js"&gt;</span>&lt;/script&gt;<br>    <span class="HIGHLIGHT">&lt;script src="https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/min_super-7ddd157405.js"&gt;</span>&lt;/script&gt;<br><b>...[SNIP]...</b><br>&lt;/script&gt;<br>            <br><br>            <span class="HIGHLIGHT">&lt;script src="https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/components/hotsearch-a66606178c.js"&gt;</span><span class="HIGHLIGHT"></span><span class="HIGHLIGHT"></span>&lt;/script&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="8">8.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00500600_cookiewithouthttponlyflagset">Cookie without HttpOnly flag set</a></span>
<br><a class="PREVNEXT" href="#7">Previous</a>
&nbsp;<a class="PREVNEXT" href="#9">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>https://www.baidu.com</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The following cookies were issued by the application and do not have the HttpOnly flag set:<ul><li>BAIDUID</li><li>BIDUPSID</li><li>PSTM</li><li>H_PS_PSSID</li></ul>The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.</span>
<h2>Issue background</h2>
<span class="TEXT"><p>If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure makes certain client-side attacks, such as cross-site scripting, slightly harder to exploit by preventing them from trivially capturing the cookie's value via an injected script.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.</p>
<p>You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing. </p></span>
<h2>References</h2>
<span class="TEXT"><ul>
<li><a href='https://www.owasp.org/index.php/HttpOnly'>Configuring HttpOnly</a></li>
</ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/16.html">CWE-16: Configuration</a></li>
</ul></span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET / HTTP/1.1<br>Host: www.baidu.com<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en<br>User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)<br>Connection: close<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Bdpagetype: 1<br>Bdqid: 0xcbd633e3001bb730<br>Cache-Control: private<br>Content-Type: text/html;charset=utf-8<br>Date: Sun, 20 Mar 2022 08:13:48 GMT<br>Expires: Sun, 20 Mar 2022 08:13:43 GMT<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>Server: BWS/1.1<br><span class="HIGHLIGHT">Set-Cookie: BAIDUID=B24527D752029D12A554D889B42E8B59:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com</span><br>Set-Cookie: BIDUPSID=B24527D752029D12A554D889B42E8B59; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: PSTM=1647764028; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br><span class="HIGHLIGHT">Set-Cookie: BAIDUID=B24527D752029D1293FCA8A27FDD2AEF:FG=1; max-age=31536000; expires=Mon, 20-Mar-23 08:13:48 GMT; domain=.baidu.com; path=/; version=1; comment=bd</span><span class="HIGHLIGHT"></span><span class="HIGHLIGHT"></span><br>Set-Cookie: BDSVRTM=0; path=/<br>Set-Cookie: BD_HOME=1; path=/<br><span class="HIGHLIGHT">Set-Cookie: H_PS_PSSID=36070_35106_31660_35978_34584_36142_36120_36075_36109_35984_35321_26350_36094_36062; path=/; domain=.baidu.com</span><br>Strict-Transport-Security: max-age=172800<br>Traceid: 1647764028045589761014687984284767860528<br>X-Frame-Options: sameorigin<br>X-Ua-Compatible: IE=Edge,chrome=1<br>Connection: close<br>Content-Length: 349370<br><br>&lt;!DOCTYPE html&gt;&lt;!--STATUS OK--&gt;<br><br><br>    &lt;html&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html;charset=utf-8"&gt;&lt;meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"&gt;&lt;meta content="always"<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="9">9.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00500f00_html5storagemanipulationdombased">HTML5 storage manipulation (DOM-based)</a></span>
<br><a class="PREVNEXT" href="#8">Previous</a>
&nbsp;<a class="PREVNEXT" href="#10">Next</a>
<br>
<br><span class="TEXT">There are 3 instances of this issue:
<ul>
<li><a href="#9.1">/</a></li>
<li><a href="#9.2">/</a></li>
<li><a href="#9.3">/</a></li>
</ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way.</p>
<p>HTML5 storage manipulation arises when a script stores controllable data in the HTML5 storage of the web browser (either localStorage or sessionStorage). An attacker may be able to use this behavior to construct a URL that, if visited by another application user, will cause the user's browser to store attacker-controllable data.</p>
<p>This behavior does not in itself constitute a security vulnerability. However, if the application later reads the data back from storage and processes it in an unsafe way, then an attacker may be able to leverage the storage mechanism to deliver other DOM-based attacks, such as cross-site scripting and JavaScript injection.
</p>

<p>Burp Suite automatically identifies this issue using static code analysis, which may lead to false positives that are not actually exploitable. The relevant code and execution paths should be reviewed to determine whether this vulnerability is indeed present, or whether mitigations are in place that would prevent exploitation.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>The most effective way to avoid DOM-based HTML5 storage manipulation is not to place in HTML5 storage any data that originated from any untrusted source. If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code to prevent malicious data from being stored.</p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input Validation</a></li>
</ul></span>
<br><br><div class="rule"></div>
<span class="BODH1" id="9.1">9.1.&nbsp;https://www.baidu.com/</span>
<br><a class="PREVNEXT" href="#3.2">Previous</a>
&nbsp;<a class="PREVNEXT" href="#9.2">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>https://www.baidu.com</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The application may be vulnerable to DOM-based HTML5 storage manipulation. Data is read from <b>location.href</b> and passed to <b>localStorage.setItem.value</b>.</span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET / HTTP/1.1<br>Host: www.baidu.com<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en<br>User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)<br>Connection: close<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Bdpagetype: 1<br>Bdqid: 0xcbd633e3001bb730<br>Cache-Control: private<br>Content-Type: text/html;charset=utf-8<br>Date: Sun, 20 Mar 2022 08:13:48 GMT<br>Expires: Sun, 20 Mar 2022 08:13:43 GMT<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>Server: BWS/1.1<br>Set-Cookie: BAIDUID=B24527D752029D12A554D889B42E8B59:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: BIDUPSID=B24527D752029D12A554D889B42E8B59; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: PSTM=1647764028; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: BAIDUID=B24527D752029D1293FCA8A27FDD2AEF:FG=1; max-age=31536000; expires=Mon, 20-Mar-23 08:13:48 GMT; domain=.baidu.com; path=/; version=1; comment=bd<br>Set-Cookie: BDSVRTM=0; path=/<br>Set-Cookie: BD_HOME=1; path=/<br>Set-Cookie: H_PS_PSSID=36070_35106_31660_35978_34584_36142_36120_36075_36109_35984_35321_26350_36094_36062; path=/; domain=.baidu.com<br>Strict-Transport-Security: max-age=172800<br>Traceid: 1647764028045589761014687984284767860528<br>X-Frame-Options: sameorigin<br>X-Ua-Compatible: IE=Edge,chrome=1<br>Connection: close<br>Content-Length: 349370<br><br>&lt;!DOCTYPE html&gt;&lt;!--STATUS OK--&gt;<br><br><br>    &lt;html&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html;charset=utf-8"&gt;&lt;meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"&gt;&lt;meta content="always"<br><b>...[SNIP]...</b><br></span></div>
<h2>Dynamic analysis</h2><p>Data is read from <b>location.href</b> and passed to <b>localStorage.setItem.value</b>.</p><p>The following value was injected into the source:</p><pre>https://www.baidu.com/?lrf7zz=lrf7zz%27%22`'"/lrf7zz/&gt;&lt;lrf7zz/\&gt;rcfigy&amp;</pre><p>The previous value reached the sink as:</p><pre><br>{"from":"result","info":{"downlink":1.95,"effectiveType":"4g","rtt":100,"deviceMemory":8,"hardwareConcurrency":4,"saveData":false,"msg":"https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/img/topnav/newfanyi-da0cea8f7e.png","errLen":1,"xpath":"id(\"s-top-more\")/DIV[1]/A[1]/IMG[1]"},"lid":"cbd633e3001bb4dd","group":"imgError","ts":1647764061548,"url":"https://www.baidu.com/?xaphmy=xaphmy%27%22`'\"/xaphmy/&gt;&lt;xaphmy/\\&gt;wgjuws&amp;"}<br>{"group":"perf","from":"index","ts":1647764062458,"info":{"req":0,"resp":191,"tcp":0,"domLoading":183,"domReady":1666,"domTime":1483,"usedJSHeapSize":9765.625,"usedJSHeapRate":78.74015748031496},"type":"pf_comm","url":"https://www.baidu.com/?lrf7zz=lrf7zz%27%22`'\"/lrf7zz/&gt;&lt;lrf7zz/\\&gt;rcfigy&amp;","lid":"cbd633e3001bb4dd"}</pre><p>The stack trace at the source was:</p><pre>at Object.get href [as href] (&lt;anonymous&gt;:1699:56)<br>at e.sendLog (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:195:496)<br>at e.sendHomeLog (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:201:420)<br>at new e (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:199:506)<br>at t.create (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:575:381)<br>at e.create (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:569:95)<br>at e.domReady (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:759:97)<br>at HTMLDocument.&lt;anonymous&gt; (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:768:265)<br>at fire (https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/lib/jquery-1-edb203c114.10.2.js:87:190)<br>at Object.fireWith [as resolveWith] (https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/lib/jquery-1-edb203c114.10.2.js:89:491)<br>at Function.ready (https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/lib/jquery-1-edb203c114.10.2.js:11:134)<br>at HTMLDocument.completed (https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/lib/jquery-1-edb203c114.10.2.js:3:233)</pre><p>The stack trace at the sink was:</p><pre>at Storage.setItem (&lt;anonymous&gt;:1773:25)<br>at n.set (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:750:50)<br>at https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:754:422<br>at https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:754:43<br>at n.get (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:750:191)<br>at https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:753:419<br>at n.get (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:750:191)<br>at e.getData (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:753:375)<br>at e.save (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:754:136)<br>at Arguments.&lt;anonymous&gt; (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:753:284)<br>at &lt;anonymous&gt;:1932:37<br>at e.addLog (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:753:260)<br>at e.sendLog (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:195:440)<br>at e.sendHomeLog (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:201:420)<br>at new e (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:199:506)<br>at t.create (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:575:381)<br>at e.create (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:569:95)<br>at e.domReady (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:759:97)<br>at HTMLDocument.&lt;anonymous&gt; (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:768:265)<br>at fire (https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/lib/jquery-1-edb203c114.10.2.js:87:190)<br>at Object.fireWith [as resolveWith] (https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/lib/jquery-1-edb203c114.10.2.js:89:491)<br>at Function.ready (https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/lib/jquery-1-edb203c114.10.2.js:11:134)<br>at HTMLDocument.completed (https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/lib/jquery-1-edb203c114.10.2.js:3:233)</pre><div class="rule"></div>
<span class="BODH1" id="9.2">9.2.&nbsp;https://www.baidu.com/</span>
<br><a class="PREVNEXT" href="#9.1">Previous</a>
&nbsp;<a class="PREVNEXT" href="#9.3">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>https://www.baidu.com</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The application may be vulnerable to DOM-based HTML5 storage manipulation. Data is read from <b>location.href</b> and passed to <b>localStorage.setItem.value</b>.</span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET / HTTP/1.1<br>Host: www.baidu.com<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en<br>User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)<br>Connection: close<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Bdpagetype: 1<br>Bdqid: 0xcbd633e3001bb730<br>Cache-Control: private<br>Content-Type: text/html;charset=utf-8<br>Date: Sun, 20 Mar 2022 08:13:48 GMT<br>Expires: Sun, 20 Mar 2022 08:13:43 GMT<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>Server: BWS/1.1<br>Set-Cookie: BAIDUID=B24527D752029D12A554D889B42E8B59:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: BIDUPSID=B24527D752029D12A554D889B42E8B59; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: PSTM=1647764028; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: BAIDUID=B24527D752029D1293FCA8A27FDD2AEF:FG=1; max-age=31536000; expires=Mon, 20-Mar-23 08:13:48 GMT; domain=.baidu.com; path=/; version=1; comment=bd<br>Set-Cookie: BDSVRTM=0; path=/<br>Set-Cookie: BD_HOME=1; path=/<br>Set-Cookie: H_PS_PSSID=36070_35106_31660_35978_34584_36142_36120_36075_36109_35984_35321_26350_36094_36062; path=/; domain=.baidu.com<br>Strict-Transport-Security: max-age=172800<br>Traceid: 1647764028045589761014687984284767860528<br>X-Frame-Options: sameorigin<br>X-Ua-Compatible: IE=Edge,chrome=1<br>Connection: close<br>Content-Length: 349370<br><br>&lt;!DOCTYPE html&gt;&lt;!--STATUS OK--&gt;<br><br><br>    &lt;html&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html;charset=utf-8"&gt;&lt;meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"&gt;&lt;meta content="always"<br><b>...[SNIP]...</b><br></span></div>
<h2>Dynamic analysis</h2><p>Data is read from <b>location.href</b> and passed to <b>localStorage.setItem.value</b>.</p><p>The following value was injected into the source:</p><pre>https://www.baidu.com/?xaphmy=xaphmy%27%22`'"/xaphmy/&gt;&lt;xaphmy/\&gt;wgjuws&amp;</pre><p>The previous value reached the sink as:</p><pre><br>{"from":"result","info":{"downlink":1.95,"effectiveType":"4g","rtt":100,"deviceMemory":8,"hardwareConcurrency":4,"saveData":false,"msg":"https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/img/topnav/newfanyi-da0cea8f7e.png","errLen":1,"xpath":"id(\"s-top-more\")/DIV[1]/A[1]/IMG[1]"},"lid":"cbd633e3001bb4dd","group":"imgError","ts":1647764061548,"url":"https://www.baidu.com/?xaphmy=xaphmy%27%22`'\"/xaphmy/&gt;&lt;xaphmy/\\&gt;wgjuws&amp;"}<br>{"group":"perf","from":"index","ts":1647764062458,"info":{"req":0,"resp":191,"tcp":0,"domLoading":183,"domReady":1666,"domTime":1483,"usedJSHeapSize":9765.625,"usedJSHeapRate":78.74015748031496},"type":"pf_comm","url":"https://www.baidu.com/?lrf7zz=lrf7zz%27%22`'\"/lrf7zz/&gt;&lt;lrf7zz/\\&gt;rcfigy&amp;","lid":"cbd633e3001bb4dd"}</pre><p>The stack trace at the source was:</p><pre>at Object.get href [as href] (&lt;anonymous&gt;:1699:56)<br>at send (https://www.baidu.com/:41:60)<br>at imgError (https://www.baidu.com/:44:456)<br>at sourceError (https://www.baidu.com/:46:12)</pre><p>The stack trace at the sink was:</p><pre>at Storage.setItem (&lt;anonymous&gt;:1773:25)<br>at n.set (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:750:50)<br>at https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:754:422<br>at https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:754:43<br>at n.get (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:750:191)<br>at https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:753:419<br>at n.get (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:750:191)<br>at e.getData (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:753:375)<br>at e.save (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:754:136)<br>at Arguments.&lt;anonymous&gt; (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:753:284)<br>at &lt;anonymous&gt;:1932:37<br>at e.addLog (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:753:260)<br>at e.sendLog (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:195:440)<br>at e.sendHomeLog (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:201:420)<br>at new e (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:199:506)<br>at t.create (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:575:381)<br>at e.create (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:569:95)<br>at e.domReady (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:759:97)<br>at HTMLDocument.&lt;anonymous&gt; (https://pss.bdstatic.com/r/www/cache/static/protocol/https/global/js/all_async_search_134ff59.js:768:265)<br>at fire (https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/lib/jquery-1-edb203c114.10.2.js:87:190)<br>at Object.fireWith [as resolveWith] (https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/lib/jquery-1-edb203c114.10.2.js:89:491)<br>at Function.ready (https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/lib/jquery-1-edb203c114.10.2.js:11:134)<br>at HTMLDocument.completed (https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/js/lib/jquery-1-edb203c114.10.2.js:3:233)</pre><div class="rule"></div>
<span class="BODH1" id="9.3">9.3.&nbsp;https://www.baidu.com/</span>
<br><a class="PREVNEXT" href="#9.2">Previous</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>https://www.baidu.com</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The application may be vulnerable to DOM-based HTML5 storage manipulation. Data is read from <b>location.href</b> and passed to <b>localStorage.setItem.value</b>.</span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET / HTTP/1.1<br>Host: www.baidu.com<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en<br>User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)<br>Connection: close<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Bdpagetype: 1<br>Bdqid: 0xcbd633e3001bb730<br>Cache-Control: private<br>Content-Type: text/html;charset=utf-8<br>Date: Sun, 20 Mar 2022 08:13:48 GMT<br>Expires: Sun, 20 Mar 2022 08:13:43 GMT<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>Server: BWS/1.1<br>Set-Cookie: BAIDUID=B24527D752029D12A554D889B42E8B59:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: BIDUPSID=B24527D752029D12A554D889B42E8B59; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: PSTM=1647764028; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: BAIDUID=B24527D752029D1293FCA8A27FDD2AEF:FG=1; max-age=31536000; expires=Mon, 20-Mar-23 08:13:48 GMT; domain=.baidu.com; path=/; version=1; comment=bd<br>Set-Cookie: BDSVRTM=0; path=/<br>Set-Cookie: BD_HOME=1; path=/<br>Set-Cookie: H_PS_PSSID=36070_35106_31660_35978_34584_36142_36120_36075_36109_35984_35321_26350_36094_36062; path=/; domain=.baidu.com<br>Strict-Transport-Security: max-age=172800<br>Traceid: 1647764028045589761014687984284767860528<br>X-Frame-Options: sameorigin<br>X-Ua-Compatible: IE=Edge,chrome=1<br>Connection: close<br>Content-Length: 349370<br><br>&lt;!DOCTYPE html&gt;&lt;!--STATUS OK--&gt;<br><br><br>    &lt;html&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html;charset=utf-8"&gt;&lt;meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"&gt;&lt;meta content="always"<br><b>...[SNIP]...</b><br></span></div>
<h2>Dynamic analysis</h2><p>Data is read from <b>location.href</b> and passed to <b>localStorage.setItem.value</b>.</p><p>The following value was injected into the source:</p><pre>https://www.baidu.com/?xaphmy=xaphmy%27%22`'"/xaphmy/&gt;&lt;xaphmy/\&gt;wgjuws&amp;</pre><p>The previous value reached the sink as:</p><pre><br>{"from":"result","info":{"downlink":1.95,"effectiveType":"4g","rtt":100,"deviceMemory":8,"hardwareConcurrency":4,"saveData":false,"msg":"https://dss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/img/topnav/newfanyi-da0cea8f7e.png","errLen":1,"xpath":"id(\"s-top-more\")/DIV[1]/A[1]/IMG[1]"},"lid":"cbd633e3001bb4dd","group":"imgError","ts":1647764061548,"url":"https://www.baidu.com/?xaphmy=xaphmy%27%22`'\"/xaphmy/&gt;&lt;xaphmy/\\&gt;wgjuws&amp;"}</pre><p>The stack trace at the source was:</p><pre>at Object.get href [as href] (&lt;anonymous&gt;:1699:56)<br>at send (https://www.baidu.com/:41:60)<br>at imgError (https://www.baidu.com/:44:456)<br>at sourceError (https://www.baidu.com/:46:12)</pre><p>The stack trace at the sink was:</p><pre>at Storage.setItem (&lt;anonymous&gt;:1773:25)<br>at https://www.baidu.com/:39:370<br>at LocalCache.getData (https://www.baidu.com/:39:185)<br>at LocalCache.save (https://www.baidu.com/:39:284)<br>at Arguments.&lt;anonymous&gt; (https://www.baidu.com/:39:40)<br>at &lt;anonymous&gt;:1932:37<br>at LocalCache.addLog (https://www.baidu.com/:39:12)<br>at send (https://www.baidu.com/:40:470)<br>at imgError (https://www.baidu.com/:44:456)<br>at sourceError (https://www.baidu.com/:46:12)</pre><div class="rule"></div>
<span class="BODH0" id="10">10.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00600600_robotsdottxtfile">Robots.txt file</a></span>
<br><a class="PREVNEXT" href="#9">Previous</a>
&nbsp;<a class="PREVNEXT" href="#11">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>https://www.baidu.com</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/robots.txt</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The web server contains a robots.txt file.</span>
<h2>Issue background</h2>
<span class="TEXT"><p>The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site that robots are allowed, or not allowed, to crawl and index.</p>
<p>The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honor the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorized access.</p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200: Information Exposure</a></li>
</ul></span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET <span class="HIGHLIGHT">/robots.txt</span> HTTP/1.1<br>Host: www.baidu.com<br>Connection: close<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Accept-Ranges: bytes<br>Content-Length: 2814<br>Content-Type: text/plain<br>Date: Sun, 20 Mar 2022 08:13:51 GMT<br>Etag: "afe-59b382b37195d"<br>Last-Modified: Fri, 03 Jan 2020 08:33:49 GMT<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>Server: Apache<br>Set-Cookie: BAIDUID=583E383F9D137BCBFAFEABE5F5B2E2D2:FG=1; expires=Mon, 20-Mar-23 08:13:51 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1<br>Vary: Accept-Encoding,User-Agent<br>Connection: close<br><br>User-agent: Baiduspider<br>Disallow: /baidu<br>Disallow: /s?<br>Disallow: /ulink?<br>Disallow: /link?<br>Disallow: /home/news/data/<br>Disallow: /bh<br><br>User-agent: Googlebot<br>Disallow: /baidu<br>Disallow: /s?<br>Disallow: /shif<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="11">11.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00700100_cacheablehttpsresponse">Cacheable HTTPS response</a></span>
<br><a class="PREVNEXT" href="#10">Previous</a>
&nbsp;<a class="PREVNEXT" href="#12">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>https://www.baidu.com</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue description</h2>
<span class="TEXT"><p>Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>Applications should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:</p>
<ul>
<li>Cache-control: no-store</li><li>Pragma: no-cache</li></ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/524.html">CWE-524: Information Exposure Through Caching</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/525.html">CWE-525: Information Exposure Through Browser Caching</a></li>
</ul></span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET / HTTP/1.1<br>Host: www.baidu.com<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en<br>User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)<br>Connection: close<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Bdpagetype: 1<br>Bdqid: 0xcbd633e3001bb730<br><span class="HIGHLIGHT">Cache-Control: private</span><br>Content-Type: text/html;charset=utf-8<br>Date: Sun, 20 Mar 2022 08:13:48 GMT<br>Expires: Sun, 20 Mar 2022 08:13:43 GMT<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>P3p: CP=" OTI DSP COR IVA OUR IND COM "<br>Server: BWS/1.1<br>Set-Cookie: BAIDUID=B24527D752029D12A554D889B42E8B59:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: BIDUPSID=B24527D752029D12A554D889B42E8B59; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: PSTM=1647764028; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com<br>Set-Cookie: BAIDUID=B24527D752029D1293FCA8A27FDD2AEF:FG=1; max-age=31536000; expires=Mon, 20-Mar-23 08:13:48 GMT; domain=.baidu.com; path=/; version=1; comment=bd<br>Set-Cookie: BDSVRTM=0; path=/<br>Set-Cookie: BD_HOME=1; path=/<br>Set-Cookie: H_PS_PSSID=36070_35106_31660_35978_34584_36142_36120_36075_36109_35984_35321_26350_36094_36062; path=/; domain=.baidu.com<br>Strict-Transport-Security: max-age=172800<br>Traceid: 1647764028045589761014687984284767860528<br>X-Frame-Options: sameorigin<br>X-Ua-Compatible: IE=Edge,chrome=1<br>Connection: close<br>Content-Length: 349370<br><br>&lt;!DOCTYPE html&gt;&lt;!--STATUS OK--&gt;<br><br><br>    &lt;html&gt;&lt;head&gt;&lt;meta http-equiv="Content-Type" content="text/html;charset=utf-8"&gt;&lt;meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"&gt;&lt;meta content="always"<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="12">12.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/01000100_sslcertificate">SSL certificate</a></span>
<br><a class="PREVNEXT" href="#11">Previous</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>https://www.baidu.com</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The server presented a valid, trusted SSL certificate. This issue is purely informational.<br><br>The server presented the following certificates:<br><br><h4>Server certificate</h4><table><tr><td><b>Issued to:</b>&nbsp;&nbsp;</td><td>baidu.com, click.hm.baidu.com, cm.pos.baidu.com, log.hm.baidu.com, update.pan.baidu.com, wn.pos.baidu.com, *.91.com, *.aipage.cn, *.aipage.com, *.apollo.auto, *.baidu.com, *.baidubce.com, *.baiducontent.com, *.baidupcs.com, *.baidustatic.com, *.baifubao.com, *.bce.baidu.com, *.bcehost.com, *.bdimg.com, *.bdstatic.com, *.bdtjrcv.com, *.bj.baidubce.com, *.chuanke.com, *.cloud.baidu.com, *.dlnel.com, *.dlnel.org, *.dueros.baidu.com, *.eyun.baidu.com, *.fanyi.baidu.com, *.gz.baidubce.com, *.hao123.baidu.com, *.hao123.com, *.hao222.com, *.haokan.com, *.im.baidu.com, *.map.baidu.com, *.mbd.baidu.com, *.mipcdn.com, *.news.baidu.com, *.nuomi.com, *.pae.baidu.com, *.safe.baidu.com, *.smartapps.cn, *.su.baidu.com, *.trustgo.com, *.vd.bdstatic.com, *.xueshu.baidu.com, apollo.auto, baifubao.com, dwz.cn, mct.y.nuomi.com, www.baidu.cn, www.baidu.com.cn</td></tr><tr><td><b>Issued by:</b>&nbsp;&nbsp;</td><td>GlobalSign Organization Validation CA - SHA256 - G2</td></tr><tr><td><b>Valid from:</b>&nbsp;&nbsp;</td><td>Mon Feb 21 16:42:02 CST 2022</td></tr><tr><td><b>Valid to:</b>&nbsp;&nbsp;</td><td>Tue Aug 02 09:16:03 CST 2022</td></tr></table><h4>Certificate chain #1</h4><table><tr><td><b>Issued to:</b>&nbsp;&nbsp;</td><td>GlobalSign Organization Validation CA - SHA256 - G2</td></tr><tr><td><b>Issued by:</b>&nbsp;&nbsp;</td><td>GlobalSign Root CA</td></tr><tr><td><b>Valid from:</b>&nbsp;&nbsp;</td><td>Thu Feb 20 18:00:00 CST 2014</td></tr><tr><td><b>Valid to:</b>&nbsp;&nbsp;</td><td>Tue Feb 20 18:00:00 CST 2024</td></tr></table><h4>Certificate chain #2</h4><table><tr><td><b>Issued to:</b>&nbsp;&nbsp;</td><td>GlobalSign Root CA</td></tr><tr><td><b>Issued by:</b>&nbsp;&nbsp;</td><td>GlobalSign Root CA</td></tr><tr><td><b>Valid from:</b>&nbsp;&nbsp;</td><td>Tue Sep 01 20:00:00 CST 1998</td></tr><tr><td><b>Valid to:</b>&nbsp;&nbsp;</td><td>Fri Jan 28 20:00:00 CST 2028</td></tr></table></span>
<h2>Issue background</h2>
<span class="TEXT"><p>SSL (or TLS) helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate that is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.</p>
<p>It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections in particular. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used. </p></span>
<h2>References</h2>
<span class="TEXT"><ul><li><a href="https://wiki.mozilla.org/Security/Server_Side_TLS">SSL/TLS Configuration Guide</a></li></ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/295.html">CWE-295: Improper Certificate Validation</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/327.html">CWE-327: Use of a Broken or Risky Cryptographic Algorithm</a></li>
</ul></span>
<div class="rule"></div>
<span class="TEXT"><br>Report generated by Burp Suite <a href="https://portswigger.net/vulnerability-scanner/">web vulnerability scanner</a> v2.0.05beta, at Sun Mar 20 16:17:32 CST 2022.<br><br></span>
</div>
</body>
</html>
